AT&T Breach by Vendor Awakens New Insider Threat Concerns

Another large, well-known company has suffered a data breach, allegedly caused by a third-party vendor. This time the company is AT&T, and the breach could have serious implications for businesses.

According to eSecurity Planet, AT&T sent out a letter to its customers, which stated:

We recently determined that employees of one of our service providers violated our strict privacy and security guidelines by accessing your account without authorization between April 9 and 21, 2014. AT&T believes the employees accessed your account as part of an effort to request codes from AT&T that are used to 'unlock' AT&T mobile phones in the secondary mobile phone market so that those devices can then be activated with other telecommunications providers.

The breach happened in April and compromised customer personal identification information, such as Social Security numbers and call records. Fierce Wireless explained why unlocking a phone is useful for thieves:

Carriers often use software to lock phones to their networks but can unlock them for customers if subscribers request an "unlock code" from carriers. An unlocked phone can be moved to another network, though that does not mean that it will work exactly the same way on another network due to differences in the spectrum bands used by carriers, and the corresponding radios and chipsets they have in their devices. In the U.S., AT&T and T-Mobile US have the most similar networks, and unlocked phones are also valuable on the secondary market around the world.

The AT&T data breach is a combination of three serious security concerns: third-party vendors, insider attacks and BYOD.

I’ve covered BYOD security concerns before, and while no one is talking about the unlocked phones being at risk, I think any time your phone account is compromised, you have to worry about the data that is stored or accessed through your device. It’s just another issue to pile on the growing list of BYOD problems.

Insider threats have also become a hot topic in the past year. Forrester research from late last year shows that insider threats are the top cause of security breaches. IT Business Edge’s Don Tennant added that the recent Edward Snowden reemergence is a reminder of just how dangerous insider threats can be.

But I think the real red flag in this incident is the third-party vendor threat. It’s one that we don’t think about often enough. In fact, Alberto Solino, technical program manager for Core Security, said to me in an email:

Once again we see companies failing to understand the risks that come along with third-party access and facing a crisis that may have been prevented by proactively seeking out or understanding potential attack paths. You can’t make assumptions when it comes to security. You have to find these attack paths and validate them before someone else does or your business and most critical assets will always be at risk.

A company’s attack surface grows as an exponent of the reliance on partners, outsourcing and even SaaS. They are relying not only on their security policy and enforcement, but also on their partner’s. It stretches the trust boundaries beyond the enterprise.

Someone told me once that if you rely on third parties for vendor services or as consultants, your network is only as secure as that third party’s security. Companies aren’t going to stop using third parties, of course, and insider threats may be the hardest threats to monitor. But the AT&T breach is a good reminder to reevaluate how much access these third parties have to your network and what security plans are in place to deal with that type of attack.